我刚接触grok
和ELK
两天。我正在努力根据空间分解日志消息,使它们在logstash
中显示为不同的字段。
我的输入模式是:2022-02-11 11:57:49 - app - INFO - function_name=add elapsed_time=0.0296 input_params=6_3
我希望在logstash/kibana中看到function_name
、elapsed_time
和input_params
的不同字段。
现在,我有下面的.conf
input{
file{
path => "/path/to/log/file"
start_position => "beginning"
}
}
filter{
grok{
match => {"message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log-level} %{(?<function_name>[^.]*)\.(?<elapsed_time>[^.]*)\.(?<input>[^.]*)}"}
}
date {
match => ["timestamp", "ISO8601"]
}
function_name {
match => ["function_name", "DATA"]
}
elapsed_time {
match => ["elapsed_time", "BASE16FLOAT"]
}
input {
match => ["input", "DATA"]
}
}
output{
elasticsearch{
hosts => ["localhost:9200"]
index => "math_apis"
}
stdout{codec => rubydebug}
}
但这只会在logstash
中生成以下消息
{
"host" => "hostname",
"@timestamp" => 2022-02-11T06:27:49.404Z,
"message" => "2022-02-11 11:57:49 - app - INFO - function_name=add elapsed_time=0.0296 input_params=6_3",
"path" => "path/to/log/file",
"@version" => "1",
"tags" => [
[0] "_grokparsefailure"
]
}
1条答案
按热度按时间s5a0g9ez1#
You can use the following pattern:
%{TIMESTAMP_ISO8601:timestamp}
-timestamp
field-
- a literal string\S+
- any one or more non-whitespace chars-
- a literal string%{LOGLEVEL:log_level}
-LOGLEVEL
pattern- function_name=
- a literal string%{NOTSPACE:function_name}
-function_name
field of one or more non-whitespace charselapsed_time=
- space andelapsed_time=
string%{NOTSPACE:elapsed_time}
-elapsed_time
field of one or more non-whitespace charsinput_params=
- literal string%{NOTSPACE:input}
-input
field of one or more non-whitespace chars.See more about Grok patterns here .
Test output: